Looking for a Windows Forensics book

Hi, I am looking to get a Windows Forensics book, as I am totally new to the subject (other than being a Windows tech who sometimes gets asked to recover files and get rid of viruses on someone else's comp).

I looked on Amazon, and there are a bunch of books. The ones that had the highest ratings were from people whom I never heard of, and neither did Wikipedia. So I figure a place like AO would know better than amazon reviews which book to recommend. Basically, I would like a book that starts with some basics, but goes into great deal of.. depth?

I would not restrict myself to Windows as there are quite a few forensics tools that are not Windows based, and in some circumstances it is best not to use Windows to work on a Windows system.

I would be inclined to use a search engine first rather than go straight to an online bookstore, who are after all, only interested in selling you books?

Also, make sure that what you get is current and relevant to the laws in your part of the World.

If you cannot do someone any good: don't do them any harm....
As long as you did this to one of these, the least of my little ones............you did it unto Me.
What profiteth a man if he gains the entire World at the expense of his immortal soul?

COFEE is a forensics tool, approximately 15MB in size that fits on a USB drive for law enforcement officials to use in PC forensics.

With COFEE, law enforcement agencies without on-the-scene computer forensics capabilities can now more easily, reliably, and cost-effectively collect volatile live evidence. An officer with even minimal computer experience can be tutored—in less than 10 minutes—to use a pre-configured COFEE device. This enables the officer to take advantage of the same common digital forensics tools used by experts to gather important volatile evidence, while doing little more than simply inserting a USB device into the computer.

COFEE can be used to locate parts of a computer's hard drive that criminals could use for identity theft, online fraud, child pornography and other such crimes. It is designed to be easy to use and quick for law enforcement officials. The small program contains 150 commands which simplify and speed up the process of data retrieval. According to a Microsoft spokesperson "an officer with even minimal computer experience can be tutored—in less than 10 minutes—to use a pre-configured COFEE device."

COFEE requires Windows XP for configuration; however, it does have some Windows Vista support. According to company insiders, Microsoft is developing a new version of COFEE which will be released next year that fully supports Windows Vista and Windows 7.

If you're looking for a bootable copy of Linux preloaded with plenty of forensics tools, check out DEFT http://www.deftlinux.net/

I tend to lean more towards Open Source as in my humble opinion it is far superior to a Microsoft solution that knocks around on a tiny USB pen.. Also a device that accesses the memory and reads and writes to the suspect's hard-disk drive is a questionable forensics practice which in itself is a far cry from mirror imaging the actual hard-disk then working with the mirror image, thereby not tampering with the evidence in any way!

Also using a USB forensics solution opens up the possibility of contaminating evidence with viruses!

Other forensics tools include things like OCFA & Automated Image & Restore; if you're going to do forensics, I humbly suggest you ditch Windows, invest in an external mountable hard-disk bay.. Like this one.. http://www.maplin.co.uk/module.aspx?moduleno=226653 and consider using Linux related forensics tools.

If you would like to participate in an online digital forensics challenge which takes place every year, then a visit to http://www.dc3.mil might be just what you're looking for.

As for reading a book, hands on is always better; get some hard-disk images from the DC3 for free, then get your hands dirty by recovering the evidence (if you can).

There are various articles posted all over the Internet about how to proceed in the field of Digital Forensics, including an article that was published recently by Cryptome about Windows Drive Locker Encryption and how to reverse it completely without a suspect's password, so if you thought your documents were safe with a Microsoft solution, think again... http://www.wired.com/threatlevel/201...soft-cryptome/

The document was made freely available to law enforcement by the Microshaft Corporation, just not the rest of the general public it would seem... (I really can't imagine why!)

Microsoft got off lightly with them calling it Decaf, if it had been up to me I would have called it, Fuc'ofee!

Steve Ballmer once described GNU/Linux as a cancer, yet it is without a doubt Microsoft & Windows that is a cancer, opposing standards wherever it goes!

Next time you meet a digital forensics expert, ask them what they prefer to use, Windows!?! or Linux!?!

People are given a million dollars by the government to weaken encryption and encryption standards. The thing about Drive Locker was they didn't play ball at first. It was in fact never broken until the feds paid off the media to create buzz about it protecting pedophiles.

They were told to backdoor it or else the government would create a law, to which they'd have something to sue them for.

Next time you meet a digital forensics expert, ask them what they prefer to use, Windows!?! or Linux!?!

99.9% of the problems stem from the fact that users set themselves up as admin and disable UAC. Whereas Linux has so many kernel flaws to date that I compare it more towards erectile dysfunction than cancer.

It is not a forensics tool as such, but a preconfigured preliminary potential evidence gathering tool. Someone using it is the computer forensics equivalent of a script kiddie.

Hell, if a cop can learn how to use it in 10 minutes?...............

Also a device that accesses the memory and reads and writes to the suspect's hard-disk drive is a questionable forensics practice which in itself is a far cry from mirror imaging the actual hard-disk then working with the mirror image, thereby not tampering with the evidence in any way!

Exactly my question in the previous thread! I believe that in quite a few countries you would not be complying with evidence gathering regulations as you haven't secured it first.

Provided that accepted evidence preservation practices are adhered to, I can see it speeding up due process, as the preliminary investigation can be carried out by non-skilled personnel. It should also keep costs down.

I wouldn't bother as it is pretty lame, and the original version at least surreptitiously phoned home and could be remotely disabled by its authors. I cannot see any legitimate reason for those "features".

My conclusion is that whilst "hands on" can be a useful way of learning, COFEE isn't. I have never seen a script kiddie make it into a hacker.

Another thing to consider is if they throw in ZuneFS with all those NTFS boxes running off an Open Solaris server, they can use and abuse the desktop rollback feature whenever they want to see exactly what you've been doing on your workstation.

@nihil I can see how you might want to use a dial home feature if you were a shadowy agency that wanted to see who was downloading and using Decaf!

@nihil I can see how you might want to use a dial home feature if you were a shadowy agency that wanted to see who was downloading and using Decaf!

That's a very good point, and using an anonymous proxy outside of your Country's jurisdiction wouldn't help. In fact it would be doubly damning?

The strange thing (to me at any rate) is that you hear of very few court cases that actually hinge on digital forensic evidence?

In the UK we have the "Misuse of Computers Act 1989"; in all the time it has been in force there have been less than 200 prosecutions under it. I don't know how many convictions that resulted in.

As far as I was aware, one of the cases handed out by the DC3 as a challenge back in 2008 was based on a real court case heard in front of none other than Judge Judy. The challenge involved a guy who suffered from paranoid delusions and a conviction that the government were out to get him; he lost his job, his wife, his kids, in essence a guy with nothing to lose, so his answer was to stockpile alarm clocks, explosives and convert his semi-fire AK47 to fully automatic. People could argue that he was right, because shortly after that, according to the Law Enforcement Report, he was arrested on terrorism charges, so in a sense the man was out to get him..

All of the evidence on the disk images had to be extracted: steganographic images, encrypted e-mails, the occasional virus or two thrown in for good measure, etc...

It was all very interesting, but as to whether it was real or just fictional, I have no idea, but it strikes me as a well concocted storyline, as you'd think a circuit judge would be far too busy with marital disputes and something of that nature would be referred straight to the criminal courts!

But that's a valid point about people never hearing much about it, but then again, depending on the nature of the material and evidence involved, you might be forbidden to mention it.

We all have bad days but plotting to blow up your employer because he's given you the sack is a little far fetched, take a chill pill, relax.. If all that doesn't work, goto the quickie mart and buy some toe nail clippers, his break fluid lines are under the drivers side on the car body work, give those a snip and you'll feel much better!

@The-Spec, the government don't have to pay people to weaken standards; the human link in the chain is often the /root/ cause of the problem. Look what happened when Geohot announced hacking the PS3: Sony promptly announced its next generation of consoles would be Linux unfriendly.

As for them being threatened and bowing to pressure, I doubt that; one of their primary customers are government departments, and it's all Windows (TM) networking behind those firewalls.

They would have done it more to win over decision makers with money! It's a cute anti-feature.

I would hazard a guess they need to sway the big contracts worth $'000'000 with how neat their product is, complete with all that DRM. It's what makes them all that money.